Monday, December 12, 2022

Old is New: Remote firewall administration without a network

 I have a sleepless two-month old, a toddler, and a full-time technical job, so I really don't want to do much home-IT when I don't have to. Unfortunately life had different plans. Somewhere nearby a branch fell of power cables and I didn't have power for 3 hours. My firewall is PFSense, running in Protectli Vault mini-PC in my garage. It is connected to UPS, but after 3 hours the battery was drained and the machine shut down. I'm not quite sure why but PFSense bootloader didn't want to boot the defaults after 30 seconds and wanted me to press the enter key instead. The location my firewall is mounted at has little to no convenience as far as a monitor or keyboards so before I knew what I had to do I needed to haul a monitor, portable desk, and keyboard to my garage, all while my toddler is clinging to my leg begging to take her with me after I've been awake since 2am holding a newborn with bad reflux so that my wife could get a little nap too. Not an experience I want to repeat. 

So what can we do to avoid such events in the future? Well if I don't want to bring a monitor to my firewall then I need to bring the firewall to the monitor. Or use a long cable. Luckly PFSense's bootloader supports getting input from a Serial Console. What this means is that as long as I can run a serial cable from my firewall to some other PC I'll be able to interact with the bootloader. Potentially this means I can even install a PFSense from scratch this way, though accessing the BIOS settings is still going to be an issue. Protectli Vault conveniently provides serial port output as an RJ-45 jack and I already had a spool of network cable and string drops all over the house from wiring the actual network. All I had to do was to make another cable run from the firewall to my office tap it into a new keystone jack. Technically I didn't need to tap all 4 pairs of the cat6 to achieve serial connectivity, but I figured I'm already there so might as well. While the Serial Port has some additional pins, you only need 2 for using a serial console - receiving wire and transmitting wire. 

From there we need to get the signal into my desktop. Depending on your equipment you may already have a Serial Port in your machine but it's likely a DB9 port. My desktop actually has a serial port on the motherboard but it's just a DIP header - so technically I can trace which 2 wires of the network cable are RX and TX pins and plug those directly into my motherboard. But that looks a bit ugly. I ended up buying a DB9 to RJ45 adapter and then getting a Serial USB converter. Connect the adapter and my workstation reports:

 
 $ dmesg | grep tty
[ 423.050477] usb 1-4: pl2303 converter now attached to ttyUSB0
 

This also means that we now have a /dev/ttyUSB0 device.All that's left so to connect serial console to it. The two most prominent ways of doing so is either a tool called Minicom or Screen. I already use screen a lot for my other endeavors so I prefer it over minicom, but I've used both. Now all we need is to know the baud rate at which PFSense transmit symbols over the wire. According to the PFSense Manual it's 115200 symbols per second. So we can launch the session with

$ screen /dev/ttyUSB0 115200

At this point you can turn your firewall on and soon you'll see the bootloader messages here. However if your firewall is already on try pressing some keys on your keyboard - you'll likely to see either a terminal prompt ( # ) or the bootloader input.

No comments:

Post a Comment

Halfedge meshes

 It's been a long time since my last post. I've started and abandoned new projects, but something also stuck. I've started makin...